Audit Your System

Routine audits of surveillance systems must be employed to ensure compliance and cost-effectiveness and to facilitate ongoing feedback and oversight.

Uncontrolled access to data, with no audit trail of activity and no oversight would be going too far.

Admiral John Poindexter

Description:

Audit programs serve a crucial oversight role in determining compliance with guidelines, analyzing effectiveness, and improving practices. They identify deviations from the standards required by law and other problematic practices. Without a clear accountability program in place, surveillance systems are destined to be misused and civil liberties violated.

A robust audit program should use a variety of mechanisms to ensure that the surveillance policies and procedures are followed. These include utilizing internal personnel to evaluate compliance with policies, employing independent external oversight, and specifying legally enforceable sanctions for violations. Recordkeeping must include the reason for each use of surveillance or access to information collected by the technology. Technical measures such as access controls and audit logs also must be in place, and they should be reinforced by automated audit mechanisms to monitor for misuse. Placing oversight authority with a city council or public oversight board may also increase the accountability of surveillance programs.

Strong oversight and auditing can help identify both isolated and ongoing abuses of surveillance technology, and legally enforceable sanctions can deter both. Audits should cover everything from data retention compliance to contractual requirements with third party recipients of surveillance information and internal technical controls. Audit reports should be available to the public, along with plans of action that are taken in response to any findings.

QUESTIONS TO ASK

Have audit mechanisms been prepared for a given surveillance system?

Will there be independent oversight and accountability processes?

Are protections in place to ensure that audits be routinely updated to account for any changes to the surveillance system or its use?